Books

Anatomy of DNS DDoS Attack

Open Recursion + Amplification = DDoS on Steroids

By combining IP spoofing, open recursion and amplification, attackers execute a DNS DDoS amplification attack in the following sequence. The attacker gathers a zombie army. He composes a large amplification record and inserts it in the domain name zone file of a name server (his own or one he has compromised). The attacker then commands his zombies to issue a continuous stream of DNS requests for the amplification record via name servers that provide open recursion. In the DNS requests, every zombie uses the targeted name server’s Internet address rather than its own.

If an open recursive name server has not processed a previous request for the amplification record, it issues a DNS request on behalf of a zombie and retrieves the amplification record from the compromised name server. The amplification record is cached by the open recursive server, which then composes a DNS response containing the amplification record. The open recursive servers think they are returning DNS responses to the zombies that made the original request, but the responses are forwarded to the targeted name server. The targeted name server is now hammered with responses to DNS requests it never made. The large DNS responses arrive as multiple IP packet fragments, which must be reassembled. This both increases the processing load at the target and enhances the deception. Because the response spans several IP fragments, and only the first fragment contains the UDP header, the target may not immediately recognise that the attack is DNS-based.

The results can be quite devastating. Depending on the countermeasures in place and the robustness of the name server infrastructure attacked, service provided by a name server operator can be degraded, seriously impaired, or even brought to a halt.